Status, the mobile OS built for Ethereum announced today that Déjà Vu Security, a leading Ethereum security expert completed a security audit in preparation for the release of Status Beta.
Contracted in Q1 ’18, Déjà Vu Security performed an extensive review of the Status codebase as well as manual penetration testing.
The scope of the audit, which covered the Status react and Status go repositories, is outlined below.
- Transaction signing authorization
- Forgery of malicious transactions from within a ÐApp
- The integrity of views utilized by customers for reviewing and auditing transactions
- Disclosure of sensitive information to unauthorized third parties
- Private key generation and derivation
- Public key exchange procedures between Status clients
- Cross-account privilege escalation on a user’s device
- Testing on iOS and Android platforms
- Timeboxed, code assisted penetration testing of ÐApp Javascript evaluation in jailed contexts
Déjà Vu uncovered 4 major issues, which have now been resolved:
- Improper Storage of Mnemonic Passphrases in Status.im Android Client
- Improper Storage of Mnemonic Passphrases in Status.im iOS Client
- Chat history persisted after the chat was deleted
- Web3 Management APIs enabled
Getting ready for Beta and V1
The Status team said:
“Finishing the security audit prior to the release of Status Beta is not only essential to our roadmap, it’s foundational to our approach to our community and their security. We want to make sure we create the best possible experience for everyone who downloads and uses Status.”
Déjà Vu Security is a key contributor to the security audits of Go Ethereum, they were selected by Status because they’re a trusted partner in the Ethereum community with extensive smart contract experience. They will also be a partner of Status post-Beta release as they prepare for the release of v1.
Discussion about this post